Skip to content

CORE-14878: Migrate "Users" Admin API v1 Security Endpoints to v2 ConnectRPC API #29174

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
nguyen-andrew wants to merge 13 commits into
base: dev
Choose a base branch
from
Open

CORE-14878: Migrate "Users" Admin API v1 Security Endpoints to v2 ConnectRPC API #29174

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
19881b0
admin: Add SCRAM credential management stubs in Admin API v2
nguyen-andrew Dec 22, 2025
4e70125
dt/pb: Generate Ducktape protobuf clients
nguyen-andrew Dec 22, 2025
39e94b5
admin: Implement SCRAM credential creation in Admin API v2
nguyen-andrew Jan 2, 2026
cd9b1c0
admin: Implement SCRAM credential retrieval in Admin API v2
nguyen-andrew Jan 3, 2026
9a98801
admin: Implement SCRAM credential listing in Admin API v2
nguyen-andrew Jan 3, 2026
9866728
admin: Implement SCRAM credential update in Admin API v2
nguyen-andrew Jan 3, 2026
44c39b9
admin: Implement SCRAM credential deletion in Admin API v2
nguyen-andrew Jan 3, 2026
eed9680
admin/tests: unit tests for match_scram_credential
nguyen-andrew Jan 2, 2026
001cadf
admin/tests: unit tests for validate_scram_credential_name
nguyen-andrew Jan 2, 2026
09fcbb6
admin/tests: unit tests for validate_pb_scram_credential
nguyen-andrew Jan 2, 2026
5f6021d
admin/tests: unit tests for convert_to_security_scram_credential
nguyen-andrew Jan 2, 2026
d0f6850
admin/tests: add unit tests for convert_to_pb_scram_credential
nguyen-andrew Jan 2, 2026
12b732b
dt: Extend SCRAM tests to cover both v1 and v2 Admin APIs
nguyen-andrew Jan 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions proto/redpanda/core/admin/v2/BUILD
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,7 @@ proto_library(
"//proto/redpanda/core/pbgen:rpc_proto",
"@googleapis//google/api:field_behavior_proto",
"@googleapis//google/api:resource_proto",
"@protobuf//:field_mask_proto",
"@protobuf//:timestamp_proto",
],
)
Expand All @@ -117,6 +118,7 @@ redpanda_proto_library(
],
visibility = ["//visibility:public"],
deps = [
"//src/v/serde/protobuf:field_mask",
"@abseil-cpp//absl/time:time",
],
)
156 changes: 156 additions & 0 deletions proto/redpanda/core/admin/v2/security.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,62 @@ import "proto/redpanda/core/pbgen/rpc.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";
import "google/protobuf/field_mask.proto";

option (pbgen.cpp_namespace) = "proto::admin";

// The SecurityService provides security-related operations.
service SecurityService {
// CreateScramCredential
//
// Create a SCRAM credential.
rpc CreateScramCredential(CreateScramCredentialRequest)
returns (CreateScramCredentialResponse) {
option (pbgen.rpc) = {
authz: SUPERUSER
};
}

// GetScramCredential
//
// Retrieve a SCRAM credential.
rpc GetScramCredential(GetScramCredentialRequest)
returns (GetScramCredentialResponse) {
option (pbgen.rpc) = {
authz: SUPERUSER
};
}

// ListScramCredentials
//
// List all SCRAM credentials.
rpc ListScramCredentials(ListScramCredentialsRequest)
returns (ListScramCredentialsResponse) {
option (pbgen.rpc) = {
authz: SUPERUSER
};
}

// UpdateScramCredential
//
// Update a SCRAM credential.
rpc UpdateScramCredential(UpdateScramCredentialRequest)
returns (UpdateScramCredentialResponse) {
option (pbgen.rpc) = {
authz: SUPERUSER
};
}

// DeleteScramCredential
//
// Delete a SCRAM credential.
rpc DeleteScramCredential(DeleteScramCredentialRequest)
returns (DeleteScramCredentialResponse) {
option (pbgen.rpc) = {
authz: SUPERUSER
};
}

// CreateRole
//
// Create a new Role resource.
Expand Down Expand Up @@ -134,6 +185,34 @@ service SecurityService {
/* Resources */
// =============================================

// The ScramCredential resource used for SCRAM authentication.
message ScramCredential {
option (google.api.resource) = {
type: "redpanda.core.admin.SecurityService/ScramCredential"
pattern: "scram_credentials/{scram_credential}"
};

// The name of the SCRAM credential.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.field_behavior) = IMMUTABLE
];

// The SCRAM mechanism.
enum ScramMechanism {
SCRAM_MECHANISM_UNSPECIFIED = 0;
SCRAM_MECHANISM_SCRAM_SHA_256 = 1;
SCRAM_MECHANISM_SCRAM_SHA_512 = 2;
}
Comment on lines +201 to +206
Copy link
Contributor

@michael-redpanda michael-redpanda Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if it would be useful to extract this to a common area of security. Maybe a security_types.proto


// The SCRAM mechanism used for this credential.
ScramMechanism mechanism = 2;

// The password for the SCRAM credential.
string password = 3
[debug_redact = true, (google.api.field_behavior) = INPUT_ONLY];
Comment on lines +211 to +213
Copy link
Contributor

@michael-redpanda michael-redpanda Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should also add a password_set_at field (a, la

redpanda/proto/redpanda/core/admin/v2/shadow_link.proto

Lines 466 to 469 in c3e36a2

// Timestamp of when the password was last set - only valid if password_set
// is true
google.protobuf.Timestamp password_set_at = 4
[(google.api.field_behavior) = OUTPUT_ONLY];
). This is so processes that are attempting to reconcile can have a signal as to when was the last time the password was changed.

I do think this may result in having to make controller updates to store the timestamp.

}

// The Role resource represents a security role with associated members.
message Role {
option (google.api.resource) = {
Expand All @@ -155,6 +234,83 @@ message Role {
/* RPC Requests and Responses */
// =============================================

// CreateScramCredentialRequest is the request for the CreateScramCredential
// RPC.
message CreateScramCredentialRequest {
// The SCRAM credential to create.
ScramCredential scram_credential = 1
[(google.api.field_behavior) = REQUIRED];
}

// CreateScramCredentialResponse is the response from the CreateScramCredential
// RPC.
message CreateScramCredentialResponse {
// The created SCRAM credential.
ScramCredential scram_credential = 1;
}

// GetScramCredentialRequest is the request for the GetScramCredential RPC.
message GetScramCredentialRequest {
// The name of the SCRAM credential to retrieve.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "redpanda.core.admin.SecurityService/ScramCredential"
}
];
}

// GetScramCredentialResponse is the response from the GetScramCredential RPC.
message GetScramCredentialResponse {
// The requested SCRAM credential.
ScramCredential scram_credential = 1;
}

// ListScramCredentialsRequest is the request for the ListScramCredentials RPC.
message ListScramCredentialsRequest {}

// ListScramCredentialsResponse is the response from the ListScramCredentials
// RPC.
message ListScramCredentialsResponse {
// The list of SCRAM credentials.
repeated ScramCredential scram_credentials = 1;
}

// UpdateScramCredentialRequest is the request for the UpdateScramCredential
// RPC.
message UpdateScramCredentialRequest {
// The SCRAM credential to update.
ScramCredential scram_credential = 1
[(google.api.field_behavior) = REQUIRED];

// The list of fields to update
// See [AIP-134](https://google.aip.dev/134) for how to use `field_mask`
google.protobuf.FieldMask update_mask = 2;
}

// UpdateScramCredentialResponse is the response from the UpdateScramCredential
// RPC.
message UpdateScramCredentialResponse {
// The updated SCRAM credential.
ScramCredential scram_credential = 1;
}

// DeleteScramCredentialRequest is the request for the DeleteScramCredential
// RPC.
message DeleteScramCredentialRequest {
// The name of the SCRAM credential to delete.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "redpanda.core.admin.SecurityService/ScramCredential"
}
];
}

// DeleteScramCredentialResponse is the response from the DeleteScramCredential
// RPC.
message DeleteScramCredentialResponse {}

// CreateRoleRequest is the request for the CreateRole RPC.
message CreateRoleRequest {
// The Role to create.
Expand Down
Loading
Loading